Information security is a vast field and it can be difficult to determine where your efforts will do the most good. Even when controls are implemented, it is often difficult to determine whether they are working as expected or achieving their objective. The 20 critical controls have been built to provide guidance and address those areas that will improve the overall security of the organisation. They won't solve all your problems, but they have the potential to solve many of them.

The controls were built by a wide group of professionals and were designed with some guiding principles in place.

Defenses should address the attacks that are actually occurring today.

Automated - We all have limited resources and by automating tasks we can achieve more.

Root Causes - The controls attempt to fix the root cause of the issue resulting in a compromise.

Metrics - A mechanism by which the effectiveness can be measured.

http://www.sans.org/critical-security-controls/guidelines.php

The controls are divided into two groups. Controls 1 through 15 can be automated; controls 16 through 20 are broader and typically cannot be fully automated. The idea behind the implementation is certainly not to start with control 1 and work your way up to control 20. The controls are designed to be implemented on their own merit and based on the risk profile of the organisation. Some of the controls overlap a little. For example, if you are implementing control 11 "Account monitoring and Control", then you will likely have touched most, if not all, aspects of control 8. The idea is to look at the controls and what they can achieve, and to implement first those that will do your organisation good, before working on the others. If you decide that some do not apply in your organisation, then that is also fine. So please do not get stuck on thinking you have to implement control 1 before 2, and so on. Implement those you can; it will be one more control than is currently being done and will therefore help.

Each control will have some quick wins that will help you get over the line quickly, but if you already have things in place, there is the advanced component, something to aim for in future plans. When implementing the controls, make sure you do not skimp on the metrics or audit component of the control. Knowing whether a control is functioning as expected is almost as valuable as having it in place in the first place. Regarding the metrics, each control will have a suggested time period, e.g. check every 24 hours or have a detection target of x hours. Again, this is a guide. Aiming for the suggested time is the idea, but if you can only check for new devices once per week, that is not ideal, yet it is still better than what is likely being done right now.

Over the next few weeks, we'll go through the controls and outline what has worked for us. As always, we'd like you all to contribute via comments or the contact forms.